Intel comes late to the game but will be delivering an embedded defense for Return Oriented Programming (ROP) types of cyber hacks. I first blogged about this back in Sept of 2016. Yes, almost four years have passed and I had hoped it would see the light of day much earlier.
The feature, to debut in the Tiger Lake microarchitecture in 2021 according to Intel, will be marketed as a Control-Flow Enforcement Technology (CET) that is designed to disrupt a class of exploits that seek to leverage bits of code that are already trusted. These ROP attacks use chunks of code from other software and hobble them together to create a malicious outcome. In the hacking world, it is similar to Frankenstein’s monster, where something grotesque is assembled from various innocent parts. ROP hacking techniques are great at evading detection and therefore a favorite among the higher classes of skilled threat actors.
Embedding the CET feature into the hardware and firmware provides a few advantages over trying to mitigate these attacks solely at the operating system level. First, there is the performance factor. Code that is specifically optimized by hardware moves significantly faster than traditional software components, so this should have a much less impact on system performance. Secondly, depending upon how it is configured to run, the hardware can add additional protection features to reduce the chances it can be disabled, modified, or compromised by adversaries.
Unfortunately, that is not the whole picture, as there are potential drawbacks for embedding such designs lower in the system stack. Namely, if there is a vulnerability in the code, it could be very difficult to patch or correct. Let’s face it, Intel’s reputation is not the greatest as of late when it comes to dealing with vulnerabilities in their products.
Overall, I am excited at the prospect of disrupting ROP types of attacks. I fully expect the best and brightest hackers will work to find ways around the protections, but that takes time and resources. This is how the game is played. It is great when new technology takes the initiative to force the attackers to adapt. The value for CET greatly depends on OS vendors’ adoption, if it has the right balance of features that are hardened, and if it runs with such efficiency that it does not overly burden system performance. Expects tests and reviews after Tiger Lake comes to market, to determine if it is simply a superficial marketing tactic or if CET represents a robust capability to mitigate hacking risks.